Microsoft borks botnet takedown in Citadel snafu

Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.

The Windows 8 giant worked with financial services organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than a thousand botnets.

The botnets in question were using Citadel malware to run cybercrime scams blamed for more than $500m in fraud. The action, authorised by a federal court ruling and carried out last week, involved raids at server-hosting facilities in the US to seize evidence related to the malware.

The takedown – codenamed Operation b54 – is the latest in an ongoing campaign against various zombie networks spearheaded by Microsoft.

In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, this time round Redmond appears to have stepped on the toes of security researchers, killing off honeypot systems monitoring the activities of cybercrooks as well as decapitating systems linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them to a server operated by Microsoft, a technique known as "sinkholing". The technique isn't new and has previously been applied in attempts to seize control of the infamous Conficker botnet, for example.

Redmond and its partners allegedly erred by seizing more than 300 Citadel domains that were sinkholed by abuse.ch (home of the Swiss Security Blog), as well as many hundreds of similar domains controlled by other security researchers, critics complain.

"Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch awhile ago," a researcher at abuse.ch complains.

Security bods suffer déjà vu

Something similar happened with a ZeuS takedown operation by Microsoft last year, when thousands of ZeuS botnet domains were seized, including several hundred domain names that were already sinkholed by abuse.ch. Previously Redmond had the reasonable excuse that there was no easy way to distinguish between domains run by crooks and domains run by security researchers.

However, the latest action comes after abuse.ch set up a (non-public) Sinkhole Registry for law enforcement and security organisations to avoid similar mixups.
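The mixup the article describes is a reconciliation problem: a takedown operator holds a list of domains it intends to seize, and a registry holds the domains researchers have already sinkholed; the overlap is the collateral damage. The following is an added example, not code from Microsoft, abuse.ch or Shadowserver, showing how a seizure list could be checked against such a registry before a court filing. The registry format, the `SinkholeEntry` record, the `*.zone` wildcard convention and all sample data are assumptions constructed for the example; the real abuse.ch Sinkhole Registry is private and its format is not published.

```python
"""
Check a proposed domain-seizure list against a sinkhole registry, so that
names already sinkholed by researchers are flagged before a takedown rather
than seized a second time. Registry format and sample data are constructed
for this example (the real abuse.ch registry is private).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SinkholeEntry:
    """One registry record: who already sinkholed the name and where it points."""
    domain: str        # exact name, or "*.zone" for a whole zone (assumed convention)
    operator: str
    sinkhole_ip: str


def normalize(domain: str) -> str:
    """Canonical form for comparison: lower-case, no surrounding whitespace, no trailing dot."""
    return domain.strip().lower().rstrip(".")


def build_index(entries):
    """Split registry into exact-name and wildcard-zone lookups."""
    exact, zones = {}, {}
    for entry in entries:
        name = normalize(entry.domain)
        if name.startswith("*."):
            zones[name[2:]] = entry
        else:
            exact[name] = entry
    return exact, zones


def lookup(domain, exact, zones):
    """Return the registry entry covering `domain`, or None.

    A wildcard "*.zone" covers sub-names of the zone but not the zone apex itself.
    """
    name = normalize(domain)
    if name in exact:
        return exact[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = zones.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def reconcile(seizure_list, registry):
    """Partition the seizure list into (already sinkholed -> entry, genuinely fresh names)."""
    exact, zones = build_index(registry)
    collisions, fresh = {}, []
    for raw in seizure_list:
        name = normalize(raw)
        if name in collisions or name in fresh:
            continue  # duplicate in the seizure list (e.g. differing case)
        entry = lookup(name, exact, zones)
        if entry is None:
            fresh.append(name)
        else:
            collisions[name] = entry
    return collisions, fresh


def summarize(seizure_list, registry):
    """Headline numbers a takedown coordinator would want before filing."""
    collisions, fresh = reconcile(seizure_list, registry)
    total = len(collisions) + len(fresh)
    return {
        "total": total,
        "already_sinkholed": len(collisions),
        "share_already_sinkholed": round(len(collisions) / total, 3) if total else 0.0,
        "by_operator": dict(Counter(e.operator for e in collisions.values())),
        "fresh": fresh,
    }


# Constructed sample data; none of these names or addresses come from the article.
SAMPLE_REGISTRY = [
    SinkholeEntry("citadel-c2-a.example", "abuse.ch", "192.0.2.10"),
    SinkholeEntry("Update-Service.example.", "abuse.ch", "192.0.2.10"),   # mixed case, trailing dot
    SinkholeEntry("*.panel.example", "researcher-b", "198.51.100.7"),      # whole zone sinkholed
]

SAMPLE_SEIZURE_LIST = [
    "citadel-c2-a.example",
    "update-service.example",
    "cfg.panel.example",        # covered by the wildcard entry
    "bots.invalid",
    "c2.invalid.",
    "CITADEL-C2-A.EXAMPLE",     # duplicate of the first name
]

if __name__ == "__main__":
    report = summarize(SAMPLE_SEIZURE_LIST, SAMPLE_REGISTRY)
    print(f"{report['already_sinkholed']} of {report['total']} names already sinkholed "
          f"({report['share_already_sinkholed']:.0%}), by operator: {report['by_operator']}")
    for name, entry in reconcile(SAMPLE_SEIZURE_LIST, SAMPLE_REGISTRY)[0].items():
        print(f"  skip {name}: sinkholed by {entry.operator} at {entry.sinkhole_ip}")
```

Names that collide would be excluded from the seizure list or handed to the registry's operator for coordination; only the `fresh` names go forward. On the constructed data three of five unique names are already sinkholed, which is the kind of figure the article's "nearly 1,000 out of 4,000" complaint describes.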

"I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything," the unnamed researcher at abuse.ch laments.

"Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more," he added.

The issue is not limited to abuse.ch, as several other sinkhole operators have also been hit: "Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these 1k domain names did no longer present a threat to internet users [sic], but were actually used to help to make the internet a better place."

Microsoft is sending out valid Citadel configuration files to the connecting bots. This configuration file causes the block on accessing anti-virus vendors' websites to be removed from infected machines, as well as getting the fall-back (backup) C&C domains to be overwritten by servers operated by Microsoft (microsoftinternetsafety.net).

Although well-intentioned, sending out valid configuration files changes the settings of a computer without the consent or knowledge of the user, a potentially illegal move in many jurisdictions, according to the unimpressed security researcher at abuse.ch, who warns that crooks are inevitably going to try to seize back control of the botnet.

The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries, according to figures from email security firm Agari, which worked with Microsoft and others on the operation.

Once infected, the victim’s keystrokes were monitored and recorded, allowing crooks to siphon off banking login credentials and other personal information for subsequent fraud. As part of the FBI operation, communication has been cut off between 1,462 Citadel botnets and the millions of infected computers under their control.

Unplugging botnet command and control servers renders a zombie network inert, but does nothing to clean up infected hosts, which remain contaminated with malware. Microsoft plans to use intelligence gained in Operation b54 to work with ISPs and Computer Emergency Response Teams (CERTs) around the world to quickly and efficiently clean as many computers as possible. ®

Bootnote

Abuse.ch was set up by Swiss security researcher Roman Hüssy, and played a key role in setting up sites to track malicious activity associated with the ZeuS and SpyEye families of banking Trojans. The Shadowserver Foundation is a collaborative net security effort that tracks and reports on malware, botnet activity and cybercrime. The volunteer-staffed foundation takes data supplied by abuse.ch and many others.